Cybersecurity regulation in Panama (2026)

Enacted 4 August 2025, Law 478 amends the Penal Code, Code of Criminal Procedure, and Law 11 of 2015 to criminalise digital extortion, sextortion, identity theft, and attacks on critical infrastructure (hospital, banking, energy systems); penalties run 5–10 years imprisonment with a 50 % uplift where ICT tools are used.

Law 81 of 26 March 2019 (Personal Data Protection Law), supplemented by Executive Decree 285 of 2021, requires organisations to notify the National Authority for Transparency and Access to Information (ANTAI) of personal data breaches within 72 hours of becoming aware of the incident.

Approved by AIG Resolution No. 17 and published in Official Digital Gazette No. 29434-A, the strategy establishes four pillars: protecting privacy and rights, deterring cybercrime, securing critical national infrastructure, and building a national cybersecurity culture.

The National Authority for Government Innovation (AIG) hosts CSIRT-Panama, the national computer-security incident-response team. In April 2026 the government activated its first Cyber Monitoring Center following a series of public-sector hacking incidents, expanding real-time threat-detection capacity.

The Superintendency of Banks (SBP) and AIG signed an inter-institutional cybersecurity agreement to share threat intelligence, improve incident reporting, and strengthen digital-security obligations specifically for the financial sector, operating alongside the general data-protection requirements.

Panama participates in the Council of Europe Budapest Convention's 24/7 Network for international cooperation on electronic evidence and cybercrime, a mechanism explicitly reinforced and cited in Law 478 of 2025.